[Bro] caret and the stick

On 5 Sep 2017, at 14:54, Allen, Brian wrote:
> Here is a line from our conn.log showing what I think is backscatter.
> (Our network is 128.252.0.0/16.)
> 128.252.X.Y 57756 111.29.2.3 80 tcp - - - - OTH T F 0 ^h 0 0 1 44
>> So in this example, what was flipped exactly?
Good question! For background, Bro "flips" connections in the case
that it thinks it has orig and resp backwards. You nailed a very common
case where this will be true. Since backscatter will frequently have a
server port as the src port, the "correct" way to view that connection
(if it was an actual full connection) would be to "flip" it and swap the
orig and resp.
In the case that you outlined, 111.29.2.3 sent a single packet (a
syn-ack based on the history field) with src port 80 and dst port 57756
(the likely actual ephemeral port). Since Bro initially had no context,
it viewed 111.29.2.3 as the originator since it was the first host that
seemed to send a packet. But, 80/tcp is registered as a likely server
port and no other analyzers attached to the connection so Bro flipped it
so that the likely server port was the resp_p.
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
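The rule Seth describes can be turned into a small triage check over conn.log. The script below is an added example, not code from the thread or from the Bro project. It relies on two conn.log conventions: a history string beginning with "^" means Bro flipped the originator and responder, and lowercase history letters are packets sent by the responder. A flipped record whose only packet is a SYN-ACK ("^h") from the remote side, with zero packets from the local "originator", is the backscatter case in the mail. Treating a lone flipped RST ("^r") the same way goes beyond the thread and is my own extension. The log records, hosts and UIDs are constructed; only 128.252.0.0/16 and 111.29.2.3:80 come from the mail.

```python
"""Flag likely backscatter records in a Bro/Zeek conn.log (added example)."""

# Constructed sample conn.log in the Bro 2.x tab-separated layout.
# UIDs and most hosts are made up; 128.252.0.0/16 is the local net from the mail.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\t"
    "service\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\t"
    "local_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\t"
    "resp_ip_bytes\ttunnel_parents\n"
    # Lone SYN-ACK from 111.29.2.3:80 to a spoofed 128.252 address (the thread's case).
    "1504622040.1\tCa1\t128.252.10.20\t57756\t111.29.2.3\t80\ttcp\t-\t-\t-\t-\t"
    "OTH\tT\tF\t0\t^h\t0\t0\t1\t44\t(empty)\n"
    # Normal outbound HTTPS session: not flipped, both sides send packets.
    "1504622041.2\tCb2\t128.252.10.21\t51000\t93.184.216.34\t443\ttcp\tssl\t1.5\t"
    "900\t4200\tSF\tT\tF\t0\tShADadFf\t10\t1400\t9\t4700\t(empty)\n"
    # Flipped because the SYN was missed, but a real session followed: not backscatter.
    "1504622042.3\tCc3\t128.252.10.22\t48000\t198.51.100.7\t22\ttcp\tssh\t3.0\t"
    "2000\t3000\tSF\tT\tF\t0\t^hADadFf\t12\t2600\t11\t3600\t(empty)\n"
    # Lone RST from port 25: matched only under the '^r' extension.
    "1504622043.4\tCd4\t128.252.10.23\t40000\t203.0.113.5\t25\ttcp\t-\t-\t-\t-\t"
    "OTH\tT\tF\t0\t^r\t0\t0\t1\t40\t(empty)\n"
)

# '^h' is the SYN-ACK case from the thread; '^r' (lone RST) is my extension.
BACKSCATTER_HISTORIES = {"^h", "^r"}


def parse_conn_log(text):
    """Return one dict per record, keyed by the names in the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines and blank lines
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError("conn.log record does not match #fields header")
            records.append(dict(zip(fields, values)))
    return records


def is_backscatter(rec):
    """True when a record looks like a reply to a packet we never sent.

    The record must be flipped ('^'), contain exactly one packet, and that
    packet must come from the remote 'responder' while the local 'originator'
    sent nothing. OTH confirms Bro never saw a handshake in either direction.
    """
    return (
        rec["history"] in BACKSCATTER_HISTORIES
        and rec["conn_state"] == "OTH"
        and rec["local_orig"] == "T"
        and rec["local_resp"] == "F"
        and rec["orig_pkts"] == "0"
        and rec["resp_pkts"] == "1"
    )


def backscatter_sources(text):
    """Map each remote host:port emitting backscatter to the spoofed local addresses."""
    out = {}
    for rec in parse_conn_log(text):
        if is_backscatter(rec):
            key = f'{rec["id.resp_h"]}:{rec["id.resp_p"]}'
            out.setdefault(key, []).append(rec["id.orig_h"])
    return out


if __name__ == "__main__":
    for src, spoofed in backscatter_sources(SAMPLE_CONN_LOG).items():
        print(f"{src} -> spoofed local addresses: {', '.join(spoofed)}")
```

The third sample record matters: a "^" prefix alone is not evidence of backscatter, since Bro also flips a real session whose SYN the sensor missed. The check therefore requires the lone-packet shape (0 originator packets, 1 responder packet, conn_state OTH) on top of the flip. Grouping by the remote host:port tells you which server is being SYN-flooded with addresses spoofed from your range.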